Are report uploads supposed to send CORS preflights? #41
Comments
I think we're ok here: the The intent for the Reporting API was to do The Right Thing(tm) with regard to CORS. That said, I don't think it currently has enough information to set a reasonable |
But Step 12 only triggers a preflight if one of the |
Hrm. I think you're right. I've been misreading that for a while, apparently. :) We should either be setting the |
|
(We should maybe consider changing the setup in Fetch to make it harder to do the wrong thing. The reason the unsafe-request flag exists is so that |
|
Mike, this is one of the main issues blocking shipping Reporting API, right? Are you the right person to drive it, or do you want to assign it to someone else? |
We'd want this to be the origin of the reports in the upload, right? (i.e., the origin of the requests that the reports describe) That, in turn, would mean that each report upload could only contain reports that have the same origin. We couldn't batch reports about multiple different origins together into a single upload if they happen to use the same upload URLs. (I think we've talked about that being a good thing to prohibit regardless of the CORS discussion.) |
Having thought about this some more, I'd like to revisit this question. Short version is that I think we can have Reporting use CORS preflights for report uploads would:
But for (1), report uploads have no response content, and even if they did, those responses are already never delivered to web content (even if a CORS preflight response would tell the browser it was allowed). For (2), I don't think the collector can rely on CORS preflights to prevent uploads about origins it doesn't care about. For instance, we want Reporting to work with non-browser user agents (which will typically not implement CORS at all). So the collector will have to filter reports that it receives anyway. If we change report uploads to use
Thoughts? |
|
We should stop trying to bypass the same origin policy, and the protections like CORS, for browser-initiated fetches. Although it may be technically doable or even secure, it sets a bad precedent for the ecosystem, that browser engineers continually try to bypass the security infrastructure we have in place when they go to write standards. no-cors is supposed to be treated as legacy, and we've been trying to stick to that when adding new features to the web platform (e.g. module scripts). |
|
I don't think that the "bad precedent" argument is very strong, as preflights have a real cost and sometimes it makes sense to avoid them. At the same time, I'm not sure that bypassing preflights here is the right call:
@mikewest and @estark - do you agree with the above? @dcreager - Is there a significant cost to adding preflight support to the collection infrastructure? Any use-cases which adding a preflight will somehow hurt? |
|
@yoavweiss As long as the preflight response includes a suitable |
Nah, it'll be easy enough to have the collectors respond to preflight requests. My main concern was that we also have to support non-browser clients, which don't typically implement CORS. So while the collectors can reply to preflights to make browser uploads work, the collection infrastructure will still have to verify that incoming report uploads are for origins that it's willing to collect, since it can't assume that every user agent will have already used CORS to verify that. |
|
[I fat-fingered the UI, so the previous comment is edited from any email notifications you might have just received] |
That doesn't diminish the value of CORS, though. The point of sending the preflight is to ensure that web content can't trigger unexpected requests to servers that can exploit or break those servers. Non-web clients might do whatever they want, and servers have to be prepared for that, but the point of CORS is to give servers guarantees about what web content can do. |
|
Got it! In that case #97 has the updated spec text that turns on preflights for report uploads. |
|
Closed by #97 |
As of w3c/reporting#41, the Reporting spec sends CORS preflights for report uploads if the origin of the collector is different than the origin of the reports in the upload. That means we can remove Reporting from the CORS protocol exception list.
Per w3c/reporting#41, a reporting upload should only contain reports about a single origin. This will allow us to send a CORS preflight for that origin, if it differs from the origin of the collector receiving the reports. This patch also removes the notion of an endpoint being "pending". In the spec, a "pending endpoint" is one that has been taken out of the rotation because of too many failures; we're handling this with a per-endpoint BackoffEntry. And now that we're creating separate uploads for each origin that uses a collector, we don't want to penalize any of them by serializing their uploads. Bug: 860802 Change-Id: I45cf905bd9ec3491e61aa0567c6dc0a19e957313 Reviewed-on: https://chromium-review.googlesource.com/1128599 Commit-Queue: Douglas Creager <[email protected]> Reviewed-by: Misha Efimov <[email protected]> Cr-Commit-Position: refs/heads/master@{#573815}
Per w3c/reporting#41, we're supposed to send a CORS preflight request before uploading reports, if the origin of the reports is different than the origin of the collector. There is existing CORS preflight code in both Blink and the Network Service. Code in //net isn't allowed to depend on either of those; instead of using a delegate to handle the inverted dependency, we just send out the preflight request by hand, just like the Expect-CT code does. Bug: 860802 Change-Id: Ib20db54d3d2597d9fbacfe356e61cc6d3bc9d5fc Reviewed-on: https://chromium-review.googlesource.com/1128600 Commit-Queue: Douglas Creager <[email protected]> Reviewed-by: Misha Efimov <[email protected]> Cr-Commit-Position: refs/heads/master@{#574836}
As of w3c/reporting#41, the Reporting spec sends CORS preflights for report uploads if the origin of the collector is different than the origin of the reports in the upload. That means we can remove Reporting from the CORS protocol exception list.
As of w3c/reporting#41, the Reporting spec sends CORS preflights for report uploads if the origin of the collector is different than the origin of the reports in the upload. That means we can remove Reporting from the CORS protocol exception list.
http://wicg.github.io/reporting/#try-delivery sets the request's
modeto"cors", but does not set theunsafe-requestflag or theuse-CORS-preflightflag. So I might be misreading Fetch, but I think that means that CORS preflights are skipped?Because reports have a non-CORS-whitelisted header (
Content-Type: application/report), it seems like they should use preflights.Are reports intended to send CORS preflights? If not, what's the justification?
cc @annevk @mikewest
The text was updated successfully, but these errors were encountered: